asciigoat
/
httools
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
asciigoat's .htaccess and .htpasswd parser https://asciigoat.org/httools
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
2 Branches
0 Tags
448 KiB
 
 
Tree: daf8e7d76f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daf8e7d76f'
${ noResults }
httools/htpasswd/htpasswd.go

317 lines
7.0 KiB
Raw Blame History

// Package htpasswd contains utilities for manipulating .htpasswd files
package htpasswd
import (
"bytes"
"crypto/rand"
"crypto/sha1"
"encoding/base64"
"errors"
"fmt"
"os"
"strings"
"github.com/GehirnInc/crypt/apr1_crypt"
"golang.org/x/crypto/bcrypt"
)
// Passwds name => hash
type Passwds map[string]string
// HashAlgorithm enum for hashing algorithms
type HashAlgorithm string
const (
// HashAPR1 Apache MD5 crypt
HashAPR1 HashAlgorithm = "apr1"
// HashBCrypt bcrypt
HashBCrypt HashAlgorithm = "bcrypt"
// HashSHA SHA
HashSHA HashAlgorithm = "sha"
// HashSSHA Salted SHA
HashSSHA HashAlgorithm = "ssha"
)
// ParseHtpasswdFile parses a .htpasswd file
// and returns a Passwd type
func ParseHtpasswdFile(file string) (Passwds, error) {
htpasswdBytes, err := os.ReadFile(file)
if err != nil {
return nil, err
}
return ParseHtpasswd(htpasswdBytes)
}
// ParseHtpasswd parses a slice of bytes in htpasswd style
func ParseHtpasswd(htpasswdBytes []byte) (Passwds, error) {
lines := strings.Split(string(htpasswdBytes), "\n")
passwords := make(map[string]string)
var err error
for lineNumber, line := range lines {
line = strings.Trim(line, " ")
if len(line) == 0 {
// skipping empty lines
continue
}
parts := strings.Split(line, ":")
if ok, err := validLine(parts, lineNumber, line); !ok {
return passwords, err
}
parts = trimParts(parts)
_, exists := passwords[parts[0]]
if exists {
err = errors.New("invalid htpasswords file - user " +
parts[0] + " defined more than once")
return passwords, err
}
passwords[parts[0]] = parts[1]
}
return passwords, err
}
func validLine(parts []string, lineNumber int, line string) (bool, error) {
var err error
if len(parts) != 2 {
err = errors.New(fmt.Sprintln("invalid line", lineNumber+1,
"unexpected number of parts split by", ":", len(parts),
"instead of 2 in\"", line, "\""))
return false, err
}
return true, nil
}
func trimParts(parts []string) []string {
for i, part := range parts {
parts[i] = strings.Trim(part, " ")
}
return parts
}
// CreateUser creates a record in the named file with
// the named password and hash algorithm
func CreateUser(file, user, passwd string, algo HashAlgorithm) error {
pp, err := ParseHtpasswdFile(file)
if err != nil {
return err
}
if _, exists := pp[user]; exists {
return fmt.Errorf("user %s already exists", user)
}
h, err := createHash(passwd, algo)
if err != nil {
return err
}
pp[user] = h
return os.WriteFile(file, pp.toByte(), os.ModePerm)
}
// UpdateUser will update the password for the named user
// in the named file
func UpdateUser(file, user, passwd string, algo HashAlgorithm) error {
pp, err := ParseHtpasswdFile(file)
if err != nil {
return err
}
if _, exists := pp[user]; !exists {
return fmt.Errorf("user %s does not exist", user)
}
h, err := createHash(passwd, algo)
if err != nil {
return err
}
pp[user] = h
return os.WriteFile(file, pp.toByte(), os.ModePerm)
}
// DeleteUser deletes the named user from the named file
func DeleteUser(file, user string) error {
pp, err := ParseHtpasswdFile(file)
if err != nil {
return err
}
if _, exists := pp[user]; !exists {
return fmt.Errorf("user %s does not exist", user)
}
delete(pp, user)
return os.WriteFile(file, pp.toByte(), os.ModePerm)
}
// VerifyUser will check if the given user and password are matching
// with the contect of the given file
func VerifyUser(file, user, passwd string) error {
pp, err := ParseHtpasswdFile(file)
if err != nil {
return err
}
if _, ok := pp[user]; !ok {
return fmt.Errorf("user %s does not exist", user)
}
alg, err := identifyHash(pp[user])
if err != nil {
return fmt.Errorf("cannot identify algo %v", alg)
}
return verifyPass(passwd, pp[user], alg)
}
func verifyPass(pass, hash string, alg HashAlgorithm) error {
switch alg {
case HashAPR1:
return verifyAPR1(pass, hash)
case HashBCrypt:
return bcrypt.CompareHashAndPassword([]byte(hash), []byte(pass))
case HashSHA:
return verifySHA(pass, hash)
case HashSSHA:
return verifySSHA(pass, hash)
}
return fmt.Errorf("unsupported hash algorithm %v", alg)
}
func verifyAPR1(password, hashedPassword string) error {
return apr1_crypt.New().Verify(hashedPassword, []byte(password))
}
func verifySHA(password, hashedPassword string) error {
eppS := hashedPassword[5:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
}
sha := sha1.New()
_, err = sha.Write([]byte(password))
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash) {
return fmt.Errorf("wrong password")
}
return nil
}
func verifySSHA(password, hashedPassword string) error {
eppS := hashedPassword[6:]
hash, err := base64.StdEncoding.DecodeString(eppS)
if err != nil {
return fmt.Errorf("cannot base64 decode")
}
salt := hash[len(hash)-4:]
sha := sha1.New()
_, err = sha.Write([]byte(password))
if err != nil {
return err
}
_, err = sha.Write(salt)
if err != nil {
return err
}
sum := sha.Sum(nil)
if !bytes.Equal(sum, hash[:len(hash)-4]) {
return fmt.Errorf("wrong password")
}
return nil
}
func (pp *Passwds) toByte() []byte {
pass := []byte{}
for name, hash := range *pp {
pass = append(pass, []byte(name+":"+hash+"\n")...)
}
return pass
}
func identifyHash(h string) (HashAlgorithm, error) {
switch {
case strings.HasPrefix(h, "$2a$"), strings.HasPrefix(h, "$2y$"), strings.HasPrefix(h, "$2x$"), strings.HasPrefix(h, "$2b$"):
return HashBCrypt, nil
case strings.HasPrefix(h, "$apr1$"):
return HashAPR1, nil
case strings.HasPrefix(h, "{SHA}"):
return HashSHA, nil
case strings.HasPrefix(h, "{SSHA}"):
return HashSSHA, nil
}
return "", fmt.Errorf("unsupported hash algorithm")
}
func createHash(passwd string, algo HashAlgorithm) (string, error) {
hash := ""
prefix := ""
var err error
switch algo {
case HashAPR1:
hash, err = hashApr1(passwd)
case HashBCrypt:
hash, err = hashBcrypt(passwd)
case HashSHA:
prefix = "{SHA}"
hash, err = hashSha(passwd)
case HashSSHA:
prefix = "{SSHA}"
hash, err = hashSSha(passwd)
}
if err != nil {
return "", err
}
return prefix + hash, nil
}
func hashApr1(passwd string) (string, error) {
return apr1_crypt.New().Generate([]byte(passwd), nil)
}
func hashBcrypt(passwd string) (string, error) {
passwordBytes, err := bcrypt.GenerateFromPassword([]byte(passwd), bcrypt.DefaultCost)
if err != nil {
return "", err
}
return string(passwordBytes), nil
}
func hashSha(passwd string) (string, error) {
s := sha1.New()
_, err := s.Write([]byte(passwd))
if err != nil {
return "", err
}
passwordSum := []byte(s.Sum(nil))
return base64.StdEncoding.EncodeToString(passwordSum), nil
}
func hashSSha(passwd string) (string, error) {
s := sha1.New()
_, err := s.Write([]byte(passwd))
if err != nil {
return "", err
}
salt := make([]byte, 4)
_, err = rand.Read(salt)
if err != nil {
return "", err
}
_, err = s.Write([]byte(salt))
if err != nil {
return "", err
}
passwordSum := []byte(s.Sum(nil))
ret := append(passwordSum, salt...)
return base64.StdEncoding.EncodeToString(ret), nil
}